Group effort: Effective cybersecurity requires participation from all

This feature first appeared in the Fall 2015 issue of Certification Magazine.

Ask a random person on the street what cybersecurity means to him or her, and you might get a response that refers to the most recent big data breach. It’s hard to ignore being constantly told by major news outlets that the “private” in “private information” is a bad joke, and that not a single person who has ever entered so much as their favorite color into an online form is safe from black market traders, unscrupulous governments, internet hacktivists, and whatever other threats you can possibly imagine.

Push the question a little further, and your random person on the street might tell you all the things they do to stay safe online — and all the things they don’t do. At the very least, you would probably conclude that awareness of cybersecurity issues has dramatically increased in the public sphere. Awareness is, to be sure, a crucial step in bolstering security, whether in a corporate context or a more personal one. But awareness is not enough.

As members of a digital, networked society, we shouldn’t simply be aware of our problems. Rather, we should be fixing them. We often fail to do that, though, choosing instead to just accept bad outcomes rather than address their root causes.

This is completely understandable when you think about the fact that security problems often seem insurmountable. What can we as individuals do, even if it’s just to protect our own personal information? There are too many points of failure, too many factors that are out of one person’s hands.

So rather than struggle independently with rudimentary tools and limited help from others, the most logical choice is to shift our focus and embrace a new standard: a culture of cybersecurity. To put it another way, we need a collective effort to share valuable security knowledge, strategies, best practices, and more with our fellow digital citizens. If we want effective cybersecurity, then all of us have to play a part.

What’s In It for Me?

There’s some truth in saying that laziness is a key element of human nature, but that excuse is too simplistic and too dismissive. It’s not that we can’t be bothered to exercise due diligence, it’s that we haven’t been properly motivated. “What’s in it for me?” is a fundamental unspoken question of cybersecurity — one that demands our attention.

When we cast blame on average users for failing to regularly change their many passwords across many different sites and systems, we seem averse to understanding why they’ve failed to do so. Only when it is too late, when users’ own identities are stolen, do they acknowledge the importance of such a security practice.

What impetus did they have to incorporate this practice sooner, though? Too often, they’ve simply been told what to do without truly understanding why they need to do it. Maybe they read a brief “Top 10 User Security Guidelines” article on the web, or maybe a colleague hurriedly mentioned a few personal security tips on a lunch break. Maybe their employer sent out a security-minded email that the user didn’t really take seriously. While these actions provide a decent start, they aren’t sufficient. Superficial commentary alone won’t foster an adequate or comprehensive cybersecurity culture.

The key to fostering this culture, then, is substance. One of the most substantive ways to inspire others to be proactive is to get them to relate to the situation. People often fall into the trap of thinking about their computer use too abstractly, as if what they do online is far removed from actual real-world consequences. To get them to understand the gravity of their digital actions, we need to get them to shed this outdated mode of thinking.

When the average computer user leaves his house to go to work, he locks the front door. What about when he leaves his desk to go to lunch? Does he leave his workstation unlocked for any passerby to use? Just like physical doors, we open cyber doors all the time — and when such doors open to something personal or sensitive in nature, we must lock them behind us to keep that information secure.

Not everything in the cyber world has an analogue in the real world, and that can present a unique challenge in fostering a security-conscious climate. To go back to the passwords example, the average homeowner probably doesn’t visit a locksmith every month to have the key to her front door changed.

If you can communicate to users, however, that time is a critical component of any hacker’s attempt at brute-force password cracking, then the importance of regularly changing passwords becomes more obvious. In this case, the answer to “What’s in it for me?” is easy: You stay one step ahead of attackers who are always refining their methods, and your critical information stays safe.

A Culture of Continuous Monitoring

An effective cybersecurity culture has many dimensions, but one of the most important is continuous monitoring. For all of us as users, being able to monitor our online presence for misuse is crucial. Unfortunately, it’s easy to feel that one’s online presence is stretched thin, and that much of it is beyond one’s control. That’s why it’s helpful to keep an inventory of your website accounts, passwords, and e-mail addresses.

Password managers like KeePass and LastPass make this much easier, while also using encryption to keep the inventory confidential. You can also use e-mail as a hub for all of your other account activity. Many websites and services have options to send e-mail alerts when key account configurations change. The quicker you’re informed about these changes, the quicker you can confirm — or deny — their validity and take appropriate action.

This can mean the difference between finding out immediately that a hacker has changed your online bank account password, and finding out when you next sign in — after a massive withdrawal has been finalized.

It’s not just end users who need to contribute to a strong cybersecurity culture — businesses have a lot of catching up to do as well. Just like with users, continuous monitoring is essential. Minding your data, whether in transit or at rest, is a proactive approach to security that is often sorely lacking in the enterprise world.

Many of the breaches that we’ve all heard about weren’t noticed until months, or even years, after the breach actually happened. Attackers exfiltrated data off servers so long ago that it’s hard to know exactly what was stolen. This is the last position you want your business to be in, and it’s vital to have solutions like Security Information and Event Management (SIEM) always keeping your cybersecurity personnel up-to-date on any suspicious activity right when it happens.

Speaking of personnel, you need to keep your security operations up-to-date using more than just technical controls like SIEMs. Your security workforce, especially your front-line men and women, is your most valuable asset. They shouldn’t be given a task and forgotten about; they need to stay current in this rapidly changing security climate.

After all, it’s the people in your organization who spread and maintain your culture, not the automated machines and software. There’s no better way of assuring the growth and development of a strong culture of security than through training and certification. Taking a master class and earning a certification, such as the CyberSec First Responder: Threat Detection and Response credential offered by Logical Operations, will prepare your team to face any threat.

Don’t wait another week, or month, to start changing the culture around you. Take action today, whether it’s pursuing a cert, upgrading security software and tools, or even just changing those long-dormant passwords. The more effort that each of us puts into creating a culture of cybersecurity, the brighter our shared digital future will be.

ABOUT THE AUTHOR

Erdal Ozkaya is an Australian IT security professional with business development and management skills. He is currently CISO at EMT Corporation. He has multiple academic degrees and IT credentials, including EC-Council’s Certified Ethical Hacker and Licensed Penetration Tester.